{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1634", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T16:33:38.550Z", "datePublished": "2026-02-07T08:26:37.942Z", "dateUpdated": "2026-04-08T16:51:08.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:08.168Z"}, "affected": [{"vendor": "alexdtn", "product": "Subitem AL Slider", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve"}, {"url": "https://wordpress.org/plugins/subitem-al-slider/"}, {"url": "https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2026-02-06T20:24:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:37:26.777431Z", "id": "CVE-2026-1634", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:46:14.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1634", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:37:26.777431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:37:27.427Z"}}], "cna": {"title": "Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "alexdtn", "product": "Subitem AL Slider", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-06T20:24:49.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve"}, {"url": "https://wordpress.org/plugins/subitem-al-slider/"}, {"url": "https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11"}], "descriptions": [{"lang": "en", "value": "The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-07T08:26:37.942Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1634", "state": "PUBLISHED", "dateUpdated": "2026-02-11T15:46:14.023Z", "dateReserved": "2026-01-29T16:33:38.550Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-07T08:26:37.942Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Subitem AL Slider para WordPress es vulnerable a cross-site scripting reflejado a trav\u00e9s del par\u00e1metro `$_SERVER['PHP_SELF']` en todas las versiones hasta la 1.0.0, inclusive, debido a una sanitizaci\u00f3n insuficiente de la entrada y un escape de la salida. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1634", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-07T09:16:00.893", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/subitem-al-slider/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:14:20.180478+00:00", "value": {"mitigation_remediation": ["Upgrade the Subitem AL Slider plugin to the latest version that removes the unsanitized use of `$_SERVER['PHP_SELF']`; if no newer version exists, uninstall or disable the plugin entirely.", "Modify the plugin code or site\u2019s template to replace `$_SERVER['PHP_SELF']` with a hard\u2011coded safe value or wrap it in proper escaping functions such as `esc_attr()` or `esc_html()`.", "Deploy or configure a web application firewall or security plugin to detect and block reflected XSS payloads, and monitor site traffic for suspicious query strings containing script code."], "summary": {"action": "Immediate patch", "impact": "Reflected XSS in a WordPress plugin that can be exploited by unauthenticated users to run arbitrary scripts in victims \u2019 browsers"}, "threat_synthesis": {"affected_systems": "WordPress installations using the Subitem AL Slider plugin, vendor alexdtn, in all releases up to and including version 1.0.0. No other vendors or products are currently affected.", "description_and_impact": "The Subitem AL Slider plugin for WordPress contains a flaw in its use of the server variable `$_SERVER['PHP_SELF']` that is not properly escaped. This allows an attacker to craft a URL that injects arbitrary JavaScript code which is then reflected back to the visitor\u2019s browser. The injected script can be used to steal session cookies, deface the site, or redirect users to malicious sites. The vulnerability is easy to trigger and does not require any authentication, meaning any site visitor is potentially exploitable.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity, highlighting the potential impact of XSS. The EPSS score of less than 1% reflects a low current exploitation probability, but the awareness of this flaw can still drive future attacks. The vulnerability is not listed in the CISA KEV catalog, so there are no known widespread attacker campaigns exploiting it. The attack vector is likely an unauthenticated user visiting a crafted link or URL containing malicious JavaScript; any user who clicks such a link would be affected."}}}}, "created": "2026-02-09T10:44:41.708749+00:00", "updated": "2026-04-17T22:15:29.467565+00:00", "vendors": ["alexdtn", "alexdtn$PRODUCT$subitem_al_slider", "wordpress", "wordpress$PRODUCT$wordpress"]}